SAN FRANCISCO -- Two unidentified women set up ISP accounts that were used in a three-day automated attack this week on religious Usenet computer bulletin board newsgroups. The attackers used familiar newsgroup member names in sending thousands of off-subject, often vulgar, posts to a number of alt.religion groups on the Internet.
Netroplex Internet Services, a small Los Angeles-based Internet service provider, disconnected the two accounts on this week after determining they were used to launch the attacks.
The posts were likely generated by an automated program that collected posts from other newsgroups and sent them, en masse, to the alt.religion newsgroups. Generally, the posts weren't relevant to the newsgroup subjects, and many were laced with vulgarities and pornography.
Chris Caputo, president of Altopia Corp. -- the company that provides Netroplex with its newsfeed -- said more than 10,000 forged posts were sent from Netroplex accounts beginning late Sunday.
The forged notes continued at the rate of 8 to 20 posts a minute until early Wednesday, when Netroplex policy manager Laurent Kim disconnected the second of two accounts used to launch the attack.
"We found out who the users were," said Kim. "It was two different people who walked into our office, and paid cash for their accounts."
Kim said that the individuals--- both women--- had given phony contact information. The first woman signed up with the ISP on 8 September and started sending forged articles on Sunday; the second obtained an account on Tuesday, and was disconnected a day later.
While the company is not looking into legal action, Kim said it will hand over Caller ID data from the dialup lines to any court of law that requests it. He stressed that his company is also a victim of the attack, because it has had to deal with the thousands of messages received from people around the world who are upset about the forgeries.
Since one or two people couldn't manually post all of the messages, Caputo suspects that the perpetrators wrote a program to do it. The forged articles had valid names and email addresses, and subject lines that looked appropriate for each group. But the body of each message contained an old news posting, often with pornographic content.
The spam attack prevented actual conversation on many newsgroups, since it was difficult to distinguish which of the messages were real.
The forgeries could also come back to haunt the people whose identities were used on the postings. DejaNews, which provides a way to read and post to approximately 15,000 Usenet newsgroups, has a popular tool called "Author Profile" that displays a list of all articles that a user has posted, and may include some of the forged posts.
Most of the forged posts never made it to DejaNews' archives, according to David Wilson, the company's vice president of marketing.
"We have several layers of spam filtering, and we caught several thousand of those things--- actually, a few thousand at a time, from what I'm told," Wilson said.
According to Wilson, the company used a combination of technologies to rid their archive of spam.
"I can't tell you how the filters work, because if I did, then whoever posted the forgeries would be able to find a workaround," Wilson said. "It's a cat-and-mouse game."
As for the inevitable remaining forgeries in the archive, Wilson said, "A user always has the ability to delete a message from the archive that was posted under their identity. And so if this forger posted something under someone else's identity, they can come to our site and nuke that article."
"Lots of my posts have shown up, under different names and titles, on alt.religion.christian, alt.religion.islam, alt.religion.mormon, alt.religion.wicca, alt.atheism, sci.philosophy.meta," said Greg Ford, a regular poster to alt.religion.angels.
It got so bad that many of the regulars of alt.religion.wicca started signing their posts using encryption software as a means of verifying their identity.
Although the attacks targeted religious newsgroups, the motives of the forgers are unknown.
Some sources said it could be a prank orchestrated by critics of Caputo's Altopia news service, disliked by some for what they say is a lenient policy on spammers and other Net-abusers. The prospect of a mass boycott has been debated for some time on news.admin.net-abuse.usenet, and an Aug. 29 post suggests the possibility of launching a rogue attack from Altopia.
Copyright © 1998, The Detroit News